The size of massive distributed denial-of-service attacks continues to grow, hitting yet another new high on March 5, with a report of a 1.7-Tbps attack.
The attack was reported by Netscout Arbor and came just four short days after the March 1 report of the then largest DDoS attack at 1.35 Tbps against GitHub. Both of the record breaking DDoS attacks were enabled via improperly configured memcached servers that reflected attack traffic, amplifying the total volume.
“The attack was targeted to a single customer of the service provider,” Carlos Morales, vice president of Arbor’s Security Engineering and Response Team, told eWEEK. “There is no indication that there were any demands.”
Memcached is a widely used open-source tool for distributed memory object caching. DDoS attackers are taking aim at servers that have been left open and exposed to the internet, sending UDP traffic that is then reflected to a target victim. US-CERT warned in a technical alert on UDP-based amplification attacks that the BAF (Bandwidth Amplification Factor) for memcached DDoS attack is anywhere from 10,000 to 51,000. BAF is calculated as the number of UDP payload bytes that an amplifier sends to answer a request, compared with the number of UDP payload bytes of the request.
Memcached DDoS amplification attacks were first publicly reported on Feb. 27. At the time, Cloudflare reported attack traffic volume of 260 Gbps and Akamai reported seeing attack traffic volume of 190 Gbps. The attack volume spiked to 1.35 Tbps on March 1 and surged further on March 5 in the attack reported by Arbor.
At this point in time, it’s not clear who is behind the memcached DDoS attacks, though there are some indicators about where the traffic is coming from. Vulnerable memcached servers can be found all over the world, and Morales noted that the 1.7-Tbps attack was distributed from a wide variety of sources.
“The top source country was the United States at nearly 50 percent of the traffic at peak,” he said. “The other sources in the top 5 included France, Netherlands, UK and Australia.”
One potential origination source for the memcached DDoS attacks is from Booter or Stresser servers that provide DDoS-as-a-service capabilities.
“Based on the diverse set of targets and industries that have been seeing memcached attacks, it is very likely that this vector has been added to one or more Booter/Stresser DDoS services available commercially,” Morales said.
Although Arbor reported that a customer of a North American service provider was the target of the 1.7-Tbps DDoS attack, there likely was also widespread collateral damage. Many organizations and data centers rely on 10-Gbps links, which likely would become saturated as a result of a 1.7-Tbps attack.
“This size of attack certainly causes collateral damage throughout the internet and in particular on networks closer to the victim network,” Morales said. “With the amount of possible amplification per memcache host, it is likely that a number of local links became saturated outbound where the servers are located.”
Dealing with the new memcached DDoS threat is not a trivial task. For organizations that run memcached servers, the best practice configuration is to not have them publicly exposed to the internet.
Arbor Networks also recommends that network operators make use of IETF Best Current Practice (BCP) source-address validation techniques, which define approaches for network ingress filtering such as BCP38 and BCP84.
Unfortunately, however, it’s not likely that all memcached server owners will properly configure their servers or that all service providers will properly filter traffic. As such, another way to deal with a volumetric DDoS attack is to have more bandwidth available than the attack size.
“Arbor Cloud has over 7 Tbps total capacity available for mitigation, and there are plans in place to expand further over the next 12 months,” Morales said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.